Network Security and ISA Server (presentation transcript)

Transcript and Presenter's Notes

1
Network Security and ISA Server
  • Paul Hogan
  • Ward Solutions

2
Session Prerequisites
  • Hands-on experience with Windows 2000 or Windows
    Server 2003
  • Working knowledge of networking, including basics
    of security
  • Basic knowledge of network security-assessment
    strategies

Level 300
3
Agenda
  • 10:00 to 11:00  Network Security
  • 11:00 to 11:15  Break
  • 11:30 to 12:00  Securing SQL Server
  • 12:00 to 1:00   Lunch
  • 1:00 to 2:00    Securing Exchange
  • 2:00 to 2:15    Break
  • 2:15 to 3:15    Lab Sessions
  • 3:15            Q&A

4
These sessions are about
  • Operational security
  • The easy way is not always the secure way
  • Networks are usually designed in particular ways
  • In many cases, these practices simplify attacks
  • In some cases these practices enable attacks
  • In order to avoid these practices it helps to
    understand how an attacker can use them

5
These sessions are NOT
  • A hacking tutorial
    • Hacking networks you own can be enlightening
    • HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL
  • Demonstrations of vulnerabilities in Windows
    • Everything we show stems from operational
      security or custom applications
    • Knowing how Windows operates is critical to
      avoiding problems
  • For the faint of heart

6
The Sessions
7
The Network
8
Introducing the Case-Study Scenario
9
Understanding Defense-in-Depth
  • Using a layered approach
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success

10
Why Does Network Security Fail?
Network security fails in several common areas,
including
  • Human awareness
  • Policy factors
  • Hardware or software misconfigurations
  • Poor assumptions
  • Ignorance
  • Failure to stay up-to-date

11
What we will cover
  • How to Implement Perimeter defenses
  • How ISA Server protects networks
  • Using Windows Firewalls to Protect Clients
  • How to Protect Wireless Networks

12
Purpose and Limitations of Perimeter Defenses
  • Properly configured firewalls and border routers
    are the cornerstone for perimeter security
  • The Internet and mobility increase security risks
  • VPNs have become a destructive, pernicious entry
    point for viruses and worms in many organizations:
    an infected remote client is tunnelled straight
    past the perimeter
  • Traditional packet-filtering firewalls only block
    network ports and computer addresses
  • Most modern attacks occur at the application
    layer

13
Purpose and Limitations of Intrusion Detection
  • Detects the pattern of common attacks and records
    suspicious traffic in event logs and/or alerts
    administrators
  • Integrates with other firewall features to
    prevent common attacks
  • Threats and vulnerabilities are constantly
    evolving, which leaves systems vulnerable until a
    new attack is known and a new signature is
    created and distributed

14
Implementing Network-Based Intrusion-Detection
Systems
Network-based intrusion-detection systems provide
rapid detection and reporting of external malware
attacks. Important points to note
  • Network-based intrusion-detection systems are
    only as good as the process that is followed once
    an intrusion is detected
  • ISA Server 2004 provides network-based
    intrusion-detection abilities

15
Perimeter Connections
Branch Office
16
Firewall Design Three Homed
17
Firewall Design Back-to-Back
18
Software vs Hardware Firewalls
19
Types of Firewalls
  • Packet Filtering
  • Stateful Inspection
  • Application-Layer Inspection

Multi-layer inspection (including
application-layer filtering)
20
Agenda
  • Introduction/Defense in Depth
  • Using Perimeter Defenses
  • Using ISA Server to Protect Perimeters
  • Using Windows Firewall to Protect Clients
  • Protecting Wireless Networks
  • Protecting Networks by Using IPSec

21
Protecting Perimeters
  • ISA Server has full screening capabilities
    • Packet filtering
    • Stateful inspection
    • Application-level inspection
  • ISA Server blocks all network traffic unless you
    allow it
  • ISA Server is ICSA and Common Criteria certified

22
Protecting Clients
23
Protecting Web Servers
  • Web Publishing Rules
    • Protect Web servers behind the firewall from
      external attacks by inspecting HTTP traffic and
      ensuring it is properly formatted and complies
      with standards
  • Inspection of SSL traffic
    • Inspects incoming encrypted Web requests for
      proper formatting and standards compliance
    • Optionally re-encrypts the traffic before
      forwarding it to your Web server

24
URLScan
  • ISA Server Feature Pack 1 includes URLScan 2.5
    for ISA Server
  • Allows URLScan ISAPI filter to be applied at the
    network perimeter
  • General blocking for all Web servers behind the
    firewall
  • Perimeter blocking for known and newly discovered
    attacks

(Diagram: ISA Server at the perimeter in front of
Web Server 1, Web Server 2 and Web Server 3)
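The Web Publishing Rules and URLScan slides above describe the same idea: validate the HTTP request at the perimeter so the web server behind the firewall never parses anything malformed. The following is an added example, not code from the presentation, from ISA Server or from URLScan: a small Python filter that applies the kinds of checks URLScan makes (allowed verbs, denied extensions, URL length, high-bit characters, dots in path segments, consistent normalization) to a header block. The POLICY values and the sample requests are constructed for the demonstration and are not URLScan's defaults.

```python
"""URLScan-style application-layer filter for inbound HTTP requests.

Added example, not ISA Server or URLScan code. The POLICY values are
hypothetical, in the spirit of a UrlScan.ini [AllowVerbs]/[DenyExtensions]/
[RequestLimits] setup, not URLScan defaults.
"""
import re
from urllib.parse import unquote

POLICY = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    "deny_extensions": {".exe", ".dll", ".bat", ".cmd", ".ida", ".idq", ".printer"},
    "max_url_len": 260,
    "max_header_len": 4096,
    "allow_dot_in_path": False,   # no "." inside directory names (hides traversal and dotfiles)
    "allow_high_bit": False,      # no bytes >= 0x80 anywhere in the header block
}

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(1\.0|1\.1)$")
HEADER_LINE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


def inspect_request(raw: bytes, policy=POLICY):
    """Return (allowed, reason) for one request header block.
    Anything malformed or outside policy is dropped at the perimeter,
    so the published web server never has to parse it."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "header block not terminated by CRLFCRLF"
    if not policy["allow_high_bit"] and any(b >= 0x80 for b in head):
        return False, "high-bit character in request"
    lines = head.decode("ascii", errors="replace").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    verb, url, _version = m.groups()
    if verb not in policy["allow_verbs"]:
        return False, f"verb {verb} not allowed"
    if len(url) > policy["max_url_len"]:
        return False, "URL too long"
    # Normalize once, then require that normalizing again changes nothing:
    # "..%255c" decodes to "..%5c" and would decode again to "..\" on the server.
    path = unquote(url.split("?", 1)[0])
    if unquote(path) != path:
        return False, "URL does not normalize consistently (double encoding)"
    segments = [s for s in re.split(r"[/\\]", path) if s]   # "\" is a separator on Windows
    if ".." in segments:
        return False, "directory traversal in path"
    if not policy["allow_dot_in_path"] and any("." in s for s in segments[:-1]):
        return False, "dot in directory name"
    ext = ""
    if segments and "." in segments[-1]:
        ext = "." + segments[-1].rsplit(".", 1)[1].lower()
    if ext in policy["deny_extensions"]:
        return False, f"extension {ext} denied"
    for h in lines[1:]:
        if len(h) > policy["max_header_len"] or not HEADER_LINE.match(h):
            return False, "malformed or oversized header"
    return True, "ok"


# Constructed sample requests: one legitimate, the rest each violating one check.
SAMPLES = {
    "normal":    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "trace":     b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "highbit":   b"GET /caf\xc3\xa9.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "exe":       b"GET /cgi-bin/cmd.exe?/c+dir HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "longurl":   b"GET /" + b"A" * 300 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "malformed": b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
}


def run_samples(samples=SAMPLES):
    """Map each sample name to its verdict (allowed flag, reason)."""
    return {name: inspect_request(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in run_samples().items():
        print(f"{name:10} {'ALLOW' if ok else 'BLOCK':5} {why}")
```

The normalization check is the one worth copying: decoding the URL once and refusing anything that would decode differently a second time is what stops encoded traversal from reaching a server that decodes more permissively than the filter does.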
25
Protecting Exchange Server
26
Demonstration 1: Application-Layer Inspection in
ISA Server
  • URLScan
  • Web Publishing
  • Message Screener
27
Traffic that Bypasses Firewall Inspection
  • SSL tunnels through traditional firewalls because
    it is encrypted, which allows viruses and worms
    to pass through undetected and infect internal
    servers.
  • VPN traffic is encrypted and can't be inspected
    in transit
  • Instant Messenger (IM) traffic often is not
    inspected and may be used to transfer files in
    addition to messaging

28
Inspecting All Traffic
  • Use intrusion detection and other mechanisms to
    inspect VPN traffic after it has been decrypted
  • Remember Defense in Depth
  • Use a firewall that can inspect SSL traffic
  • Expand inspection capabilities of your firewall
  • Use firewall add-ons to inspect IM traffic

29
SSL Inspection
  • SSL tunnels through traditional firewalls because
    it is encrypted, which allows viruses and worms
    to pass through undetected and infect internal
    servers.
  • ISA Server pre-authenticates users, eliminating
    multiple dialog boxes and allowing only
    authenticated requests through
  • ISA Server can decrypt and inspect SSL traffic.
    Inspected traffic can be forwarded to the internal
    server re-encrypted or in the clear; forwarding in
    the clear exposes it on the internal segment, so
    re-encrypt unless that segment is trusted

30
Demonstration 2: SSL Inspection in ISA Server
31
ISA Server Hardening
  • Secure your Server Wizard
  • Review Bastion Host information in Security
    Guides
  • Disable unnecessary services
  • Harden the network stack
  • Disable unnecessary network protocols on the
    external network interface
    • File and Printer Sharing
    • Client for Microsoft Networks
    • NetBIOS over TCP/IP

32
Best Practices
  • Use access rules that allow only the requests you
    specifically need; everything else stays denied
  • Use ISA Server's authentication capabilities to
    restrict and log Internet access
  • Configure Web publishing rules only for specific
    URLs, not whole servers
  • Use SSL inspection to inspect encrypted data that
    is entering your network

33
Demonstration 3: Internet Connection Firewall (ICF)
  • Configuring ICF manually
  • Testing ICF
  • Reviewing ICF log files
  • Configuring Group Policy settings
34
Agenda
  • Introduction/Defense in Depth
  • Using Perimeter Defenses
  • Using ISA Server to Protect Perimeters
  • Using Windows Firewall to Protect Clients
  • Protecting Wireless Networks
  • Protecting Networks by Using IPSec

35
New Security Features in Windows Firewall
  • On by default
  • On with no exceptions
  • Windows Firewall exceptions list
  • Boot-time security
  • Global configuration and restore defaults
  • Multiple profiles
  • RPC support
  • Local subnet restrictions
  • Unattended setup support
  • Command-line support
36
Configuring Windows Firewall for Antivirus Defense
37
Agenda
  • Introduction/Defense in Depth
  • Using Perimeter Defenses
  • Using ISA Server to Protect Perimeters
  • Using Windows Firewall to Protect Clients
  • Protecting Wireless Networks
  • Protecting Networks by Using IPSec

38
Wireless Security Issues
  • Limitations of Wired Equivalent Privacy (WEP)
    • WEP is inherently weak: there is no key exchange,
      so every station shares one static key
    • WEP keys are not dynamically changed and are
      therefore vulnerable to attack
    • No method for provisioning WEP keys to clients
  • Limitations of MAC Address Filtering
    • Scalability: must be administered and propagated
      to all APs. List may have a size limit
    • No way to associate a MAC to a username
    • User could neglect to report a lost card
    • Attacker could spoof an allowed MAC address

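
The slide says static WEP keys are "vulnerable to attack" without showing why. The following is an added example, not from the presentation: a pure-Python RC4 and a WEP-style per-frame key (IV || shared key) demonstrating that, because the shared key never changes, any two frames sent under the same 24-bit IV use the same keystream, and one known plaintext then decrypts the other frame without the key. The shared key, IV and frame payloads are constructed; the CRC-32 ICV that real WEP appends is omitted because it does not affect the point. The RC4 key-scheduling weakness that lets an attacker recover the key itself is a separate flaw and is not shown here.

```python
"""Why a static WEP key fails: keystream reuse under a 24-bit IV.

Added example, not from the presentation. Shared key, IV and payloads are
constructed; the ICV (CRC-32) of real WEP is left out.
"""
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generator), XORed over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) over the payload.
    Because the shared key never changes, the keystream depends on the IV alone."""
    return iv + rc4(iv + shared_key, plaintext)


def recover_with_known_plaintext(frame_known: bytes, known_pt: bytes, frame_target: bytes) -> bytes:
    """Two frames under the same IV share a keystream: ct_a XOR pt_a gives the
    keystream, which then decrypts the other frame with no knowledge of the key."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("different IVs, keystreams differ")
    keystream = xor(frame_known[3:], known_pt)
    return xor(frame_target[3:], keystream)


def frames_until_iv_repeat(seed: int = 1) -> int:
    """Frames sent before a randomly chosen 24-bit IV repeats (birthday bound,
    about sqrt(2^24) = 4096). Cards that reset the IV to 0 on startup repeat sooner."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.getrandbits(24)
        if iv in seen:
            return n
        seen.add(iv)


# Constructed values. The LLC/SNAP header really is constant for IPv4 frames,
# so an attacker always has at least 8 known plaintext bytes per frame.
SHARED_KEY = bytes.fromhex("0f1e2d3c4b")             # 40-bit WEP key
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")
FRAME_A_PT = LLC_SNAP_IP + b"user=alice&pass=hunter2"
FRAME_B_PT = LLC_SNAP_IP + b"user=bob&pass=letmein!!"
IV = bytes.fromhex("010203")


def demo() -> bytes:
    """Encrypt two frames under the same IV and recover the second from the first."""
    frame_a = wep_encrypt(SHARED_KEY, IV, FRAME_A_PT)
    frame_b = wep_encrypt(SHARED_KEY, IV, FRAME_B_PT)
    # Even with no plaintext at all, XOR of the ciphertexts is XOR of the plaintexts.
    assert xor(frame_a[3:], frame_b[3:]) == xor(FRAME_A_PT, FRAME_B_PT)
    return recover_with_known_plaintext(frame_a, FRAME_A_PT, frame_b)


if __name__ == "__main__":
    print(demo())
    print("frames before first IV repeat:", frames_until_iv_repeat())
```

This is exactly what "keys are not dynamically changed" costs: with a fixed key the 24-bit IV is the only thing varying, a busy access point exhausts or repeats it within hours, and the 802.1X key management on the later slides exists to rotate the key underneath the IV.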
39
Possible Solutions
  • VPN connectivity
    • PPTP
    • L2TP
  • Third party
    • IPSec
    • Many vendors
  • Password-based Layer 2 authentication
    • Cisco LEAP
    • RSA SecurID
    • IEEE 802.1X PEAP/MS-CHAP v2
  • Certificate-based Layer 2 authentication
    • IEEE 802.1X EAP-TLS

40
WLAN Security Comparisons
41
802.1X
  • Defines port-based access control mechanism
  • Works on anything, wired and wireless
    • Access point must support 802.1X
    • No special encryption key requirements
  • Allows choice of authentication methods using EAP
    • Chosen by peers at authentication time
    • Access point doesn't care about EAP methods
  • Manages keys automatically
    • No need to preprogram wireless encryption keys

42
802.1X using EAP/TLS or MSCHAPv2
(Diagram: a laptop holding a domain user/machine
certificate connects through an 802.11/802.1X access
point to a RADIUS (IAS) server holding a server
certificate, backed by a Certification Authority and
a Domain Controller; the protected network also holds
DHCP, Exchange and file servers. Numbered steps 1 to
7 show the EAP exchange across these components.)
43
Wi-Fi Protected Access (WPA)
  • A specification of standards-based, interoperable
    security enhancements that strongly increase the
    level of data protection and access control for
    existing and future wireless LAN systems
  • Goals
  • Enhanced Data Encryption
  • Provide user authentication
  • Be forward compatible with 802.11i
  • Provide non-RADIUS solution for Small/Home
    offices (WPA-PSK)
  • Products shipping

44
Best Practices
  • Use 802.1x authentication
  • Organize wireless users and computers into groups
  • Apply wireless access policies using Group Policy
  • Use EAP/TLS and 128 bit WEP with 802.1X-managed,
    dynamically rotated keys (WEP itself is broken;
    prefer WPA/802.11i where supported)
  • Set clients to force user authentication as well
    as machine authentication
  • Develop a method to manage rogue APs such as LAN
    based 802.1x authentication and wireless sniffers.

45
What Firewalls Do NOT Protect Against
  • Malicious traffic that is passed on open ports
    and not inspected by the firewall
  • Any traffic that passes through an encrypted
    tunnel or session
  • Attacks after a network has been penetrated
  • Traffic that appears legitimate
  • Users and administrators who intentionally or
    accidentally install viruses
  • Administrators who use weak passwords

46
Understanding Application and Database Attacks
Common application and database attacks include
Buffer overruns
  • Write applications in managed code

SQL injection attacks
  • Validate input for correct size and type

47
Attacks: Buffer Overflow
  • Aka the boundary condition error: stuff more
    data into a buffer than it can handle. The
    overflowed data overwrites adjacent memory (for
    example a saved return address), so control passes
    to attacker-chosen code
  • Local overflows are triggered while logged into
    the target system
  • Remote overflows are triggered through processes
    running on the target that the attacker
    connects to
  • Result: commands are executed at the privilege
    level of the overflowed program
48
Attacks: Input Validation
  • A process does not validate or strip input before
    processing it, e.g. special shell characters such
    as semicolon and pipe symbols
  • An attacker provides data in unexpected fields,
    e.g. SQL database parameters
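
Slide 46 (SQL injection: validate input for correct size and type) and slide 48 (unstripped shell metacharacters, attacker data in SQL parameters) describe the two input-validation failures below. The following is an added example, not from the presentation: a vulnerable login query built by string formatting beside its parameterized replacement, and a vulnerable shell command beside an allow-listed argv version. The user table, credentials and attacker inputs are constructed, and `echo` stands in for a real command such as `ping` so the demo runs offline.

```python
"""Input-validation failures and their fixes: attacker data in SQL parameters
and unstripped shell metacharacters. Added example, not from the presentation;
the user table, credentials and attacker inputs are constructed.
"""
import re
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "hunter2", "user"), ("admin", "Tr0ub4dor", "admin")])
    return con


def login_vulnerable(con, name: str, pw: str):
    """Query built by string formatting: the input is parsed as SQL.
    name = "admin'--" turns the password check into a comment."""
    q = f"SELECT role FROM users WHERE name = '{name}' AND pw = '{pw}'"
    row = con.execute(q).fetchone()
    return row[0] if row else None


def login_safe(con, name: str, pw: str):
    """Validate size and type, then bind the values as parameters so they
    can never change the structure of the statement."""
    if not (isinstance(name, str) and isinstance(pw, str)):
        return None
    if not (1 <= len(name) <= 32 and 1 <= len(pw) <= 128):
        return None
    row = con.execute("SELECT role FROM users WHERE name = ? AND pw = ?",
                      (name, pw)).fetchone()
    return row[0] if row else None


# Allow-list for a hostname: letters, digits, dots and hyphens only.
HOSTNAME = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def lookup_vulnerable(host: str) -> str:
    """Command string handed to the shell: ';' or '|' in host runs a second command.
    (echo stands in for ping so the example runs offline.)"""
    return subprocess.run(f"echo host={host}", shell=True,
                          capture_output=True, text=True).stdout


def lookup_safe(host: str):
    """Allow-list the input, then pass it as one argv element with no shell in
    between. Either measure alone stops this injection; use both."""
    if not HOSTNAME.match(host):
        return None
    return subprocess.run(["echo", f"host={host}"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    con = make_db()
    print(login_vulnerable(con, "admin'--", "anything"))      # admin
    print(login_safe(con, "admin'--", "anything"))            # None
    print(lookup_vulnerable("example.com; echo INJECTED"))    # second line INJECTED
    print(lookup_safe("example.com; echo INJECTED"))          # None
```

Note that size and type checks alone would not have saved `login_vulnerable`: "admin'--" is a short, well-typed string. Parameter binding is what keeps data out of the statement's syntax, and the argv list is what keeps data out of the shell's; validation on top narrows what reaches either.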

49
Implementing Application Layer Filtering
Application layer filtering includes the
following
  • Web browsing and e-mail can be scanned to ensure
    that content specific to each does not contain
    illegitimate data
  • Deep content analysis, including the ability to
    detect, inspect, and validate traffic using any
    port and protocol

50
Session Summary
  • Introduction/Defense in Depth
  • Using Perimeter Defenses
  • Using ISA Server to Protect Perimeters
  • Using ICF to Protect Clients
  • Protecting Wireless Networks

51
(No Transcript)
52
Questions and Answers